Some computer systems must be designed to operate in a secure environment. For example, tactical edge platforms that are employed on military aircraft may be required to operate in a secure or secret mode. By operating in a secure mode, a computer system processes data and communicates with various peripheral units in a manner that maintains the security of the data and significantly mitigates the risk of unsecured access to the data.
As used herein, the security level of a computer system relates to the classification level or compartmental level of the devices or users connected to the computer system or the data transmitted via the computer system. In general, an unsecure network is a computer system in which the network infrastructure has no knowledge of the classification levels of the devices connected to the network port. On the other hand, a secure network is a computer system in which the network infrastructure, with a high degree of assurance, can maintain separation of data traversing the network and can guarantee that the data entering a given port is only accessible to a subset of the available ports based on a set of rules.
One example of a computer system designed to operate in a secure manner is a tactical edge platform which includes a mission computer and a number of peripheral units connected to the mission computer via a physical network, such as a MIL-STD 1553 bus (hereinafter a “1553 bus”). As shown in FIG. 1, for example, the mission computer 12 of a tactical edge platform 10 may include two or more general purpose processors (GPPs) 14. Each GPP is in communication with one or more 1553 buses, each of which is connected to one or more peripheral units so as to, for example, balance the loads of the GPPs. The tactical edge platform may include a variety of peripheral units including a navigation suite having an inertial navigation system (INS) 16, a tactical suite including a radar warning receiver (RWR) 18 and a radar 20, a communications suite including a multifunctional information distribution system (MIDS) 22, and an air vehicle suite including an air data computer (ADC) 24, a data transfer unit (DTU) 26 and a maintenance port 28. The peripheral units can have various security classification levels. For example, the INS and the ADC are typically unclassified, while the RWR is typically classified as secret when in operation. Additionally, some peripheral units may have security classification levels that change. For example, the radar may be unclassified while operating in certain modes, while being classified as secret in other modes. Additionally, the DTU will generally have a classification level that is defined by the cartridge installed therein. Similarly, the MIDS will generally have a security classification level that is based upon the cryptographic key installed within the MIDS.
Although some of the peripheral units, such as the INS and the ADC, may be unclassified, the entire tactical edge platform is operated at the highest security classification level of any of the peripheral units, such as the secret mode in the example provided above. In order to ensure that the tactical edge platform 10 operates in a secure manner, the tactical edge platform is designed such that the mission computer 12 controls all communications via the 1553 buses with the peripheral units. The mission computer therefore includes a security kernel that operates in a secure mode along with the device drivers, file systems, network input/output, etc.
In order to certify the tactical edge platform 10 to operate in a secure mode, the security kernel generally undergoes a verification process to ensure that the mission computer 12 can be trusted to a high assurance (HA) level. Since the mission computer controls all communication via the 1553 buses with the peripheral units, the peripheral units generally need not be similarly verified. However, since the security kernel of a conventional mission computer includes a relatively large block of software code with unlimited interaction, the verification of the mission computer including the security kernel to an HA level is typically a time-consuming and expensive process.
As exemplified by the tactical edge platform 10 of FIG. 1, if a plurality of devices of different classification levels are connected to a secure network, only the network infrastructure would need to be trusted to an HA level so that the infrastructure itself can guarantee that each device will only have access to appropriately classified data, thereby avoiding the time and expense associated with otherwise certifying that the individual devices could be trusted. Conversely, if devices of different classification levels are connected to an unsecure network, every device connected to the network would have to be trusted to an HA level since the network itself is unsecure. In other words, since data at all classification levels would be available to every device, each device would have to ensure that it could not access inappropriately classified data. Since the HA certification process is quite expensive and time-consuming, a network configuration in which every device must be trusted to an HA level is generally impractical.
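The separation rule that a trusted network infrastructure would enforce can be made concrete with a small model. The following Python is an added illustration and is not part of the patent text or of any product it describes: it takes the devices of FIG. 1, gives each a current classification level (fixed for the INS, ADC and RWR; derived from an assumed mode, cartridge or key state for the radar, DTU and MIDS, since the page does not say which states are secret), and decides which ports may receive data entering on a given port. The port numbers, the state keys, the specific radar modes and the "no flow to a lower level" rule are assumptions for the example; the page only says that access is restricted to a subset of ports "based on a set of rules".

```python
"""Toy model of port separation in a secure (trusted) network infrastructure.

Added example, not code from the patent. Device names follow FIG. 1 of the
page; port numbers, state keys, mode names and the dominance rule are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, Mapping, Set


class Level(IntEnum):
    """Classification levels used on the page (ordered: higher is more sensitive)."""
    UNCLASSIFIED = 0
    SECRET = 1


# Platform state that drives the dynamic classification levels.
# Keys and values are constructed for this example.
State = Mapping[str, str]
LevelFn = Callable[[State], Level]


@dataclass(frozen=True)
class Device:
    name: str
    port: int            # switch port the device is wired to (assumed numbering)
    level_of: LevelFn    # current classification as a function of platform state


def fixed(level: Level) -> LevelFn:
    """Device whose level does not change with platform state (INS, ADC, RWR)."""
    return lambda _state: level


def radar_level(state: State) -> Level:
    # Assumption: the page says the radar is secret only in some modes; which
    # modes is not stated, so "track" is treated as the secret mode here.
    return Level.SECRET if state.get("radar_mode") == "track" else Level.UNCLASSIFIED


def dtu_level(state: State) -> Level:
    # Page: DTU level follows the installed cartridge. Cartridge labels assumed.
    return Level.SECRET if state.get("dtu_cartridge") == "S" else Level.UNCLASSIFIED


def mids_level(state: State) -> Level:
    # Page: MIDS level follows the loaded cryptographic key. Key state assumed.
    return Level.SECRET if state.get("mids_key") == "secret" else Level.UNCLASSIFIED


DEVICES = [
    Device("INS", 1, fixed(Level.UNCLASSIFIED)),
    Device("RWR", 2, fixed(Level.SECRET)),
    Device("RADAR", 3, radar_level),
    Device("MIDS", 4, mids_level),
    Device("ADC", 5, fixed(Level.UNCLASSIFIED)),
    Device("DTU", 6, dtu_level),
]


def port_levels(devices, state: State) -> Dict[int, Level]:
    """Current classification of every port, recomputed from platform state.

    Because the radar, DTU and MIDS levels change at run time, the infrastructure
    must re-derive this table whenever the state changes, not once at boot.
    """
    return {d.port: d.level_of(state) for d in devices}


def egress_ports(ingress: int, levels: Dict[int, Level]) -> Set[int]:
    """Ports that may receive data entering on `ingress`.

    Assumed rule (simple level dominance): data may only flow to a port whose
    current level is at least the ingress port's level, never to a lower level.
    """
    src = levels[ingress]
    return {p for p, lvl in levels.items() if p != ingress and lvl >= src}


def may_forward(ingress: int, egress: int, levels: Dict[int, Level]) -> bool:
    """Per-frame check the switching fabric would apply before forwarding."""
    return egress in egress_ports(ingress, levels)


def system_high(levels: Dict[int, Level]) -> Level:
    """Level a system-high platform (the conventional design) must run at."""
    return max(levels.values())


if __name__ == "__main__":
    # Constructed states: radar in search mode with an unclassified cartridge,
    # then radar tracking with a secret cartridge installed.
    for state in ({"radar_mode": "search", "dtu_cartridge": "U", "mids_key": "none"},
                  {"radar_mode": "track", "dtu_cartridge": "S", "mids_key": "none"}):
        levels = port_levels(DEVICES, state)
        print(state, "system high:", system_high(levels).name)
        for d in DEVICES:
            print(f"  {d.name:5} port {d.port} {levels[d.port].name:12} "
                  f"-> may reach ports {sorted(egress_ports(d.port, levels))}")
```

Running the block shows the point of L6: in the first state the RWR is the only secret port, so its output may reach no other port, while unclassified INS data may reach every port including the RWR; after the radar enters the assumed secret mode and a secret cartridge is installed, RWR and radar data may reach each other and the DTU but still never the INS or ADC. All of that logic lives in the infrastructure's `egress_ports` check, so only that component needs HA trust; the INS and ADC never see a secret frame regardless of how they behave.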
While the operation of an entire computer system, such as a tactical edge platform, in a secure mode has been workable, there is an increased emphasis on the development of a computer system that does not operate entirely in a secure mode, but is capable of operating in an environment having multiple levels of security, i.e., within a multilevel security (MLS) environment, while maintaining appropriate separation of data of different security classification levels. In this regard, there is an emphasis to transition from a computer network utilizing a 1553 bus to a computer system utilizing a high speed backplane, such as Ethernet, and a more ubiquitous protocol, such as internet protocol (IP). If computer systems, such as tactical edge platforms, transition to an Ethernet network, but still require that the entire computer system only operate in a secure mode, each of the general purpose Ethernet infrastructure devices, such as the switches and routers, would need to be certified to be trusted at an HA level, thereby rendering such a design relatively infeasible due to the costs and risks of having any, let alone each, device evaluated at an HA level. Accordingly, it would be desirable to develop a computer system in which portions of the computer system operate in accordance with an unsecure or, at least, a less secure mode, while other portions of the computer system operate in a more secure mode, thereby limiting the device(s) and/or code that must be certified to the HA level.
Office networks and command and control (C2) networks have been developed which concurrently support both secure and unsecure modes of operation. In this regard, an office or a C2 network is designed to connect general purpose computing devices, such as workstations, printers, mass storage, etc., to any port of a network switching device and to be able to locate, or be located by, other devices on a network using protocols such as domain name system (DNS), dynamic host configuration protocol (DHCP) and address resolution protocol (ARP). The workstations connected to such a network will typically be executing large, complex operating systems, such as UNIX or Windows, with a great degree of control available to the operator. Moreover, the processes that are executed by the various devices may be quite dynamic and under the direct control of multiple human operators. In addition, with the proper credentials, operators can typically manipulate the devices from remote locations.
The design objectives of an office or a C2 network diverge dramatically from those of a tactical edge platform which generally has a specific, well known set of special purpose devices connected to specific ports of the network switch. Each device is configured to perform a specific set of tasks with little or no operator intervention. In this regard, operator input is very limited with little or no mechanism for an operator to introduce new processes into the system that are not already resident or that have not undergone extensive testing. Additionally, a tactical edge platform is generally configured in such a manner that it is physically impossible to modify the hardware configuration while in operation, with only qualified technicians having physical access to the platform during maintenance procedures.
The computer systems developed for an office or a C2 network to provide an HA MLS environment are generally inapplicable for tactical edge platform environments. In particular, an office or a C2 network generally provides for routing and data filtering which increase the size and complexity of the underlying software code. As such, if an effort were made to certify an office or a C2 network for use as a tactical edge platform, the software code associated with the routing and data filtering would have to be verified to the HA level even though the tactical edge platform would either not need all of the routing and data filtering functionality or could provide some of the routing and data filtering functionality in a manner that did not require as high a security classification level. Additionally, office and C2 systems generally utilize devices, such as workstations, that are too large and too heavy for most, if not all, tactical edge platforms which are, instead, designed to be deployed under significant size and weight restrictions. Additionally, the power consumption of a typical office or C2 system is also generally much greater than that allowed of a tactical edge platform.
Accordingly, it would be desirable to provide a computer system configured to operate in accordance with a plurality of different security classifications which, in one embodiment, could satisfy the size, weight and power requirements imposed upon a tactical edge platform.